As much of the world continues to work remotely, organizations increasingly find themselves looking for reliable ways of authenticating employees’ identities when providing them with telephone-based support. After all, in a large organization, it is impossible for the support staff to know every employee. This makes it challenging to differentiate between a trusted employee and a scammer who is trying to gain access to the organization’s IT resources. Voiceprint biometrics technology may help organizations authenticate callers without requiring them to give up sensitive information.
Organizations have historically used any number of mechanisms to verify a caller’s identity, but each of these methods has its shortcomings. Sending the person a code via SMS text message and asking them to read it back, for example, does not truly verify the caller’s identity. It only proves that the caller currently controls the employee’s phone number, which a stolen handset or a SIM-swap attack against the carrier provides just as well.
Security Challenge Questions
Another popular technique for verifying a caller’s identity is to ask the caller a security challenge question. While this method was once thought to be effective, it has become increasingly clear that it is problematic for several reasons.
Imagine for a moment that a hacker wants to gain access to an organization’s IT resources. A first step might be to call the organization’s help desk, posing as a low-level employee and requesting a password reset. When the help desk technician asks the security challenge question, the attacker simply hangs up. At that point, the hacker has learned at least one of the questions that is used to verify caller identities. An attacker might then call back any number of times over the following weeks, impersonating other employees. The goal is to assemble a comprehensive list of the security challenge questions that the organization asks.
Once the attacker has assembled this list, he or she can go on various social media sites and research the company’s senior executives or its IT staff. In doing so, the attacker is likely to be able to determine the answers to many of the security challenge questions. Keep in mind that even if an employee does not post sensitive information on social media, a wealth of information is available in public records and on background-check sites.
Another problem with using security challenge questions is that the questions can actually put employees’ privacy at risk. Suppose that an employee calls the organization’s help desk to request a password reset and the technician asks the employee for the answer to a security challenge question. In doing so, the employee is exposing a sensitive piece of information to the help desk employee. The help desk employee now knows the answer to that employee’s security challenge question and could theoretically use that information for nefarious purposes, all the more so because people tend to reuse the same answers with their bank and other services.
For these and other reasons, organizations are increasingly abandoning the use of traditional security challenge questions in favor of other mechanisms. One solution that some organizations are using involves asking for only a portion of the answer to a security challenge question. Rather than asking the caller a question like “Where did you go to elementary school?”, the help desk technician might instead ask callers for the last letter in the name of the elementary school that they attended. Callers have only about a 3.8% chance (1 in 26) of getting the answer right by blind guessing if every letter were equally likely; in practice many school names end in the same few letters, so the odds are somewhat better than that, but the method still eliminates the need for employees to disclose the full answer to the technician.
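The partial-answer check above only helps if the help desk tool, not the technician, holds the answer and reports just pass or fail. The following is an added example (not code from the original article or from any vendor it mentions) of how such a tool can store the answer so that a single character at a random position can be verified without the full answer ever being shown to the technician. It generalizes the page’s “last letter” question to any letter position. All names, the server-side key, and the sample answer “Lincoln Elementary” are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumed server-side key held by the verification service, outside the
# database. A per-position tag covers only one character (at most 36
# possibilities), so without this key a stolen record could be brute-forced
# in a handful of guesses per position.
SERVER_KEY = secrets.token_bytes(32)


def normalize(answer: str) -> str:
    """Fold case, strip accents and drop spaces/punctuation so that
    'Lincoln Elementary' and 'lincoln elementary' yield the same letters."""
    ascii_only = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return "".join(ch for ch in ascii_only.lower() if ch.isalnum())


def _tag(salt: bytes, position: int, char: str) -> str:
    """Keyed hash of (salt, position, single character)."""
    msg = salt + position.to_bytes(2, "big") + char.encode("ascii")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def enroll(answer: str) -> dict:
    """Store one keyed tag per character position; the plaintext is discarded."""
    norm = normalize(answer)
    if not norm:
        raise ValueError("answer contains no usable characters")
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "length": len(norm),
        "tags": [_tag(salt, i, ch) for i, ch in enumerate(norm)],
    }


def issue_challenge(record: dict) -> int:
    """Pick a fresh random position for each call, so a caller who hangs up
    after hearing the question learns only which position was asked this time."""
    return secrets.randbelow(record["length"])


def describe_challenge(position: int, length: int) -> str:
    """Script the technician reads aloud; it never contains any part of the answer."""
    if position == length - 1:
        return "What is the last letter of the name of your elementary school?"
    if position == 0:
        return "What is the first letter of the name of your elementary school?"
    return (f"Counting letters only and ignoring spaces, what is letter number "
            f"{position + 1} of the name of your elementary school?")


def verify(record: dict, position: int, response: str) -> bool:
    """Check the single character the caller gave. Returns only pass/fail,
    which is all the technician's screen should show."""
    norm = normalize(response)
    if len(norm) != 1 or not 0 <= position < record["length"]:
        return False
    expected = record["tags"][position]
    return hmac.compare_digest(expected, _tag(record["salt"], position, norm))


if __name__ == "__main__":
    # Constructed enrollment and call; "Lincoln Elementary" is a made-up answer.
    record = enroll("Lincoln Elementary")
    pos = issue_challenge(record)
    print(describe_challenge(pos, record["length"]))
    print("verified:", verify(record, pos, normalize("Lincoln Elementary")[pos]))
    print("verified:", verify(record, pos, "?"))
```

The technician only ever sees the scripted question and a pass/fail result. Note that per-character tags are inherently low entropy, which is why the key lives with the verification service rather than in the database; a compromise of the service itself still exposes every answer, so the check belongs alongside other factors rather than on its own.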
Voiceprint Technology Option
Another way in which organizations are combating help desk fraud is through the use of voiceprint technology. Voiceprint technology is based on the idea that everyone’s voice is unique. We all speak in our own pitch and cadence, and we tend to have certain linguistic nuances such as accents or phrases that we use often. Voiceprint technology examines these and other characteristics in an effort to positively identify callers by listening to the sound of their voices and to what they say.
Although voiceprint technology has enormous potential, it isn’t perfect. An organization must consider, for instance, whether voiceprint matching will be effective if an employee has a cold or a facial injury such as a broken jaw, and what fallback procedure the help desk uses when the match fails, since a weak fallback is exactly what an attacker will aim for.
Perhaps more troubling is the idea that, just as AI can be used to positively identify people by the sound of their voices, the technology could conceivably work in the opposite way and be used to mimic an employee’s voice in an effort to fool a voiceprint engine. A few years ago, Fast Company did a story on how a tech startup named Lyrebird had used AI to impersonate various politicians. While far from perfect, the company’s proof-of-concept website clearly illustrates the fact that work is being done on voice spoofing.
My guess is that although voice spoofing technology does exist, voiceprint technology will prove to be a viable alternative to security challenge questions for most users. The reason for this is that if an attacker wanted to use AI to spoof someone’s voice, the attacker would need a large voice sample to train the AI against. Obtaining such a sample might be possible if the attacker is targeting the CEO, or if the employee also happens to have his or her own podcast, but getting a sufficient audio sample for a random employee would likely be a tall order.
Besides, there is no rule that says that voiceprint technology has to be used by itself. Security should always be implemented in depth. As such, an organization might consider using some form of multifactor authentication for callers. This might involve using both a voiceprint and a partial-answer security question of the kind described earlier to establish a caller’s identity.